Skip to content

Securely pin node version #1260

New issue
New issue
Open
Open
Securely pin node version#1260
Labels
feature requestNew feature or request to improve the current logic
@ned

Description

@ned
ned
opened on Mar 27, 2025

Description:
Allow specifying the sha256 of the node binary in addition to the node version. If the asset fails to match the expected sha256, we should error.
If specifying the sha256 is not feasible, we could allow specifying the git commit of the release (https://github.com/actions/node-versions/releases).

Justification:
Ensure that any 3rd party code that runs in GitHub actions is locked down to known hashes.

Are you willing to submit a PR?
Yes, once the details are ironed out.

Metadata

Metadata

Assignees

No one assigned

    Labels

    feature requestNew feature or request to improve the current logic

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions